alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; http_header; fast_pattern:37,20; content:"*|3b|q=0"; http_header; content:"HTTP/1.0|0d 0a|Host|3a 20|"; classtype:trojan-activity; sid:2014562; rev:4;)

Added 2013-12-04 20:35:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS?"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; http_header; fast_pattern:37,20; content:"*|3b|q=0"; http_header; content:"HTTP/1.0|0d 0a|Host|3a 20|"; classtype:trojan-activity; sid:2014562; rev:3;)

Added 2012-07-16 19:40:05 UTC

This traffic is from the Pony Downloader (aka Fareit). Zeus is typically the next payload that Pony grabs, but the traffic detected by this rule is Pony.

-- HarryTuttle - 13 Dec 2012
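The rule above is easier to audit once its `|xx|` hex escapes are decoded and the three `content` checks are applied to sample traffic. The following Python is an added illustration, not code from Emerging Threats or the rule page: it decodes the patterns, extracts the `fast_pattern:37,20` slice, and approximates Snort's `http_header` buffer as the header lines after the request line; the sample requests are constructed, not captures.

```python
def snort_decode(pattern: str) -> bytes:
    """Expand Snort |xx yy| hex escapes into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

# (pattern, buffer) pairs copied from sid 2014562 rev 4 above.
RULE_CONTENTS = [
    ("User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)", "http_header"),
    ("*|3b|q=0", "http_header"),
    ("HTTP/1.0|0d 0a|Host|3a 20|", "raw"),   # no http_header modifier: raw payload match
]

def fast_pattern_slice(pattern: str, offset: int, length: int) -> bytes:
    """Bytes handed to the fast-pattern matcher for content with fast_pattern:offset,length."""
    return snort_decode(pattern)[offset:offset + length]

def http_header_buffer(payload: bytes) -> bytes:
    """Approximation (assumption) of the http_header buffer: header lines after the request line."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n", 1)[1] if b"\r\n" in head else b""

def matches_sid_2014562(payload: bytes) -> bool:
    """True when every content pattern is found in the buffer it is bound to."""
    hdr = http_header_buffer(payload)
    for pattern, buf in RULE_CONTENTS:
        haystack = hdr if buf == "http_header" else payload
        if snort_decode(pattern) not in haystack:
            return False
    return True

# Constructed sample requests (hostnames and paths are placeholders).
UA_LINE = b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
PONY_LIKE = (b"GET /index.html HTTP/1.0\r\nHost: example.invalid\r\n"
             b"Accept: */*;q=0\r\n" + UA_LINE + b"\r\n")
# Same headers but HTTP/1.1: the raw "HTTP/1.0\r\nHost: " content cannot match.
HTTP11 = PONY_LIKE.replace(b"HTTP/1.0", b"HTTP/1.1")
# Host is not the first header line, so the raw content is not contiguous.
HOST_NOT_FIRST = (b"GET /index.html HTTP/1.0\r\nAccept: */*;q=0\r\n"
                  b"Host: example.invalid\r\n" + UA_LINE + b"\r\n")

if __name__ == "__main__":
    print(fast_pattern_slice(RULE_CONTENTS[0][0], 37, 20))
    for name, req in [("pony-like", PONY_LIKE), ("http/1.1", HTTP11), ("host-not-first", HOST_NOT_FIRST)]:
        print(name, matches_sid_2014562(req))
```

Note that the third content, lacking `http_header`, only fires when `Host` is the very first header after an `HTTP/1.0` request line, which is what separates this rule from a generic old-MSIE User-Agent match.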


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS?"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; http_header; fast_pattern:37,20; content:"*|3b|q=0"; http_header; content:"HTTP/1.0|0d 0a|Host|3a 20|"; classtype:trojan-activity; sid:2014562; rev:2;)

Added 2012-04-13 18:55:29 UTC


Topic revision: r2 - 2012-12-13 - HarryTuttle
Copyright © Emerging Threats